[stunnel-users] stunnel 5.44 + pppd client side problem

Martin Got martingot at protonmail.com
Thu Apr 11 21:52:59 CEST 2019


I am trying to set up a pppd link wrapped in stunnel between two OpenBSD 6.4 amd64 machines.
I used this article as a reference: http://bremford.org/tips/QuickStunnelVPN.html

While connecting from client's side by command:
/usr/sbin/pppd ptypA 10.0.1.2: local debug noauth passive noccp novj novjccomp nopcomp noaccomp name ppp-clnt connect 'stunnel /etc/stunnel/stunnel-client.conf'

The stunnel client starts and pppd starts on the client's end according to stunnel-clnt.log, but pppd runs into LCP timeouts:

# tail stunnel-clnt.log
stunnel: LOG5[ui]: Configuration successful
pppd[5421]: Connect: ppp2 <--> /dev/ptypA
pppd[5421]: LCP: timeout sending Config-Requests
pppd[5421]: Connection terminated.
pppd[5421]: Connect script failed

It seems that afterwards there is no pppd pty connection to the local stunnel client, nor to the remote stunnel server. But when I tried to connect to the stunnel client's port 1723 using telnet:
telnet localhost 1723
I received pppd advertisements from the remote stunnel server. So it seems that `exec = /usr/sbin/pppd` on the stunnel server does run as soon as the stunnel client's connection appears.

Could it be a problem with pppd and the stunnel client both using a pty?

Please advise.

# cat /etc/stunnel/stunnel-server.conf

; Global options for the stunnel *server* side (TLS server mode).
; NOTE(review): with chroot/setuid/setgid disabled, stunnel itself and every
; pppd started through `exec` below run as root; the author marks this as
; testing only. Per the stunnel manual, once `chroot` is re-enabled the `pid`
; and `exec` paths are resolved inside the jail, so pppd must exist there.
;chroot = /var/stunnel    # chroot is disabled for testing
;setuid = _stunnel    # stunnel started by root for testing currently
;setgid = _stunnel
; PID file is created inside the chroot jail (if enabled)
;pid = /stunnel.pid
; Stay in the foreground and log to stderr (no `output` file).
foreground = yes
; Log level 7 = debug; very verbose, lower it once the link works.
debug = 7
;output = log/stunnel.log     # disabled
; Pin every service in this file to TLS 1.2.
sslVersion = TLSv1.2
; Disable Nagle on the local (l:) and remote (r:) sockets; sensible for an
; interactive PPP link.
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; NO_SSLv3 is commented out here (the original comment read "Enable support
; for the insecure SSLv3 protocol"). This is harmless: sslVersion = TLSv1.2
; already excludes SSLv3, and for the same reason the NO_TLSv1 / NO_TLSv1.1
; lines below are redundant but harmless.
;options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
; NOTE(review): DONT_INSERT_EMPTY_FRAGMENTS turns off OpenSSL's CBC
; empty-fragment countermeasure. It is an interoperability workaround for an
; old mail client (Eudora) and has no effect on a TLS 1.2-only link, so
; consider dropping it rather than carrying it over from the sample config.
options = DONT_INSERT_EMPTY_FRAGMENTS
; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE

; *** TLS server mode services
; PPP-over-TLS endpoint: each accepted TLS connection gets its own pppd,
; whose pty is bridged to the decrypted stream.
[ppp]
; No bind address given, so this listens on TCP 723 on all interfaces.
accept = 723
; Started per connection; runs as root while setuid is disabled in the
; global section.
exec = /usr/sbin/pppd
; Local PPP address 10.0.1.1; the remote address is left empty (presumably
; for the peer to propose -- verify against pppd's behaviour). `noauth`
; disables PPP-level authentication, so the client-certificate check below
; is the only access control on this service.
execargs = 10.0.1.1: local debug noauth
; pppd needs a terminal: allocate a pseudo-terminal for the exec'd program.
pty = yes
; Client certificates must chain to this CA. NOTE(review): verifyChain
; accepts *any* certificate issued by it; consider verifyPeer (pinning the
; expected client certificate) if this CA also issues certificates for
; other purposes.
CAfile = /etc/stunnel/ca.crt
cert = /etc/stunnel/srv.crt
key = /etc/stunnel/private/srv.key
verifyChain = yes
; Seconds to wait for the peer's close_notify before closing the socket.
TIMEOUTclose = 45

; TLS front end for a local plain-HTTP server; also the master service for
; the SNI-routed section [ntp] below.
[default]
; HTTP connections
;ciphers = ALL
;options = CIPHER_SERVER_PREFERENCE
; All interfaces, TCP 1111.
accept = 1111
; Decrypted traffic is handed to the local web server.
connect = 127.0.0.1:80
; NOTE(review): verifyChain = yes means every HTTP client must present a
; certificate chaining to this CA; ordinary browsers without one are
; rejected at the handshake. Confirm this is intended for this service.
CAfile = /etc/stunnel/ca.crt
cert = /etc/stunnel/srv.crt
key = /etc/stunnel/private/srv.key
verifyChain = yes
; 0: do not wait for the peer's close_notify.
TIMEOUTclose = 0

; SNI-selected sub-service of [default]: used when a client connecting to
; port 1111 sends the server name "ntp".
[ntp]
; NOTE(review): stunnel forwards over TCP, while NTP normally listens on
; UDP 123; this only works if something is listening on TCP 123 -- confirm.
connect = 127.0.0.1:123
; Syntax: sni = MASTER_SERVICE:SERVER_NAME_PATTERN
sni = default:ntp
; Same CA / server certificate and client-certificate requirement as [default].
CAfile = /etc/stunnel/ca.crt
cert = /etc/stunnel/srv.crt
key = /etc/stunnel/private/srv.key
verifyChain = yes
TIMEOUTclose = 0
--------------------

# cat /etc/stunnel/stunnel-client.conf

; Global options for the stunnel *client* side.
; Unlike the server config, the jail and privilege drop are enabled here:
; stunnel chroots to /var/stunnel and switches to _stunnel after start-up.
chroot = /var/stunnel
setuid = _stunnel
setgid = _stunnel
; Path is relative to the chroot directory (stunnel manual).
pid = /stunnel-clnt.pid
; Stay in the foreground and log to stderr (no `output` file).
foreground = yes
; Log level 7 = debug; lower it once the link works.
debug = 7
;output = log/stunnel-clnt.log
; TLS 1.2 only, matching the server side.
sslVersion = TLSv1.2
; Disable Nagle on the local (l:) and remote (r:) sockets.
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; As on the server: NO_SSLv3 is commented out (the original comment read
; "Enable support for the insecure SSLv3 protocol"), which is harmless
; because sslVersion = TLSv1.2 already excludes SSLv3 and makes the
; NO_TLSv1 / NO_TLSv1.1 lines redundant.
;options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
; NOTE(review): DONT_INSERT_EMPTY_FRAGMENTS disables OpenSSL's CBC
; empty-fragment countermeasure; it is an old mail-client (Eudora)
; workaround with no effect on a TLS 1.2-only link -- consider dropping it.
options = DONT_INSERT_EMPTY_FRAGMENTS
; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE

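; TLS client for the PPP link: plaintext on the local accept socket, TLS to
; the server's [ppp] service on port 723.
; NOTE(review): the trailing "# ..." comment that followed the `accept`
; value was moved to its own lines -- as far as I know stunnel's parser
; only recognises full-line comments and would otherwise take the rest of
; the line as part of the value. The author's original note was:
;   'accept' is absent in the client's configuration at
;   http://bremford.org/tips/QuickStunnelVPN.html but stunnel reports:
;   [!] Service [ppp]: Each service must define two endpoints
;   on stunnel-5.44
; NOTE(review): a pppd `connect` script is handed the pty as stdin/stdout
; and pppd waits for it to exit; nothing in that flow ever connects to the
; listening socket below, which fits the observed LCP timeouts while a
; manual `telnet localhost 1723` does reach the server. As far as I know
; stunnel 5 relays stdin/stdout only when the configuration contains no
; [service] section at all (inetd mode: global `client = yes` plus
; `connect`), typically started through pppd's `pty` option rather than
; `connect` -- confirm against the stunnel manual before relying on this.
[ppp]
client = yes
; Loopback only, so the plaintext side is not reachable from the network.
accept = 127.0.0.1:1723
connect = STUNNEL-SERVER-IP:723
; The server certificate must chain to this CA ...
CAfile = /etc/stunnel/ca.crt
; Client certificate presented to the server (which runs verifyChain).
cert = /etc/stunnel/client.crt
; NOTE(review): unlike the server's key this one is not under a private/
; directory; make sure it is readable only by the user stunnel starts as.
key = /etc/stunnel/client.key
verifyChain = yes
; ... and its CN/SAN must match this name (presumably a placeholder; it
; has to be the name the server certificate was issued for).
checkHost = hostna.me
;checkIP = 1.2.3.4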
--------------------